Lack of role models keeps women out of cyber security

By Emma Jacobs

As a maths undergraduate, Holly Rostill went to a lecture about the internet. The speaker raised the point that, despite people using it every day, few understood its inner workings. This sparked Ms Rostill’s curiosity and she studied computer science modules as part of her degree, including programming, testing systems for vulnerabilities and cryptography. Ultimately this set Ms Rostill on a path that is relatively uncommon for young women: cyber security.

According to trade training body (ISC)2’s 2015 Global Information Security Workforce Study, 10 per cent of those working in the information security profession are women — unchanged from two years ago.

For Ms Rostill, who is now employed by PwC, the professional services firm, the work is “like a puzzle and I see it as a challenge to be solved”. Many of the skills she has developed, she says, are about logic and persistence.

Popular mythology has it that it is teenage boys, who have sat in their bedrooms to hone their hacking skills, who populate the industry. Ms Rostill says that she goes into schools to talk about cyber security and technology to raise interest among young women. “It’s important that we attract the younger generation, to try and break the negative cycle that surrounds the industry for many women.”

The lack of female role models in the field, she says, means a cyber security career can seem unrealistic to most.

Jennifer Steffens, chief executive at IOactive, a cyber security company, says that young women need to be encouraged to get involved in science, technology, engineering and mathematics — so-called Stem-related — activities and classes to make an early impact.

“It’s important that we provide strong role models for young women early in their careers, highlighting female professionals that have successfully broken through gender barriers and are influential,” she says.

Recruiting women is a problem, says Nicole Eagan, chief executive officer of Darktrace, a cyber security company. “Legacy security companies hire from the same pool of men. It is an old-boys’ network.”

Claire Reid, also at PwC, is a partner specialising in risk assurance and process improvement who has worked in technology all her life. She believes that the cyber security industry is seen as an offshoot of “the young hacker culture” and that this deters women. In fact the work is “more than just tech”, she says. “It is a multidisciplinary role. You need people who understand how business and governance works. How to respond to clients, managing data and risk.”

Too frequently the jobs specs are too technical. It might put women off

Claire Reid

Ms Rostill agrees. While she currently has a technical role there are “many different skills required for a job in this field and a huge variety of different areas to get into”.

Tammy Moskites, chief information security officer at Venafi, a cyber security firm, says she enjoys the variety of work. “You get to wear multiple hats as a chief information security officer, often all on the same day. Whether it’s dealing with regulatory or compliance issues to dealing with human resources, through to securing and protecting data — you have to be ready at all times.”

The business and the roles within it are very diverse and require different perspectives, something that women might be well able to supply.

Cheryl Sims-Hancock, an organisational psychologist who works at Deloitte’s cyber security practice, says that the field “is quite difficult for people to get their head around . . . they think they just need technical skills”.

Cyber security is mainly discussed in terms of passwords and hacking, she notes. “But there is a cultural aspect that involves psychological engagement, organisational psychology and is not just about security breaches.”

While clearly the jobs are rooted in technology, professionals working in the field do not necessarily need engineering or coding backgrounds. “Too frequently the specs are too technical”, says Ms Reid. “It might put women off.”

Ms Reid also believes that men and women approach job advertisements differently. “Women need to feel fully qualified to apply for a role whereas men are not so worried about it.”

This is view backed up by (ISC)2’s report, which found that women were more qualified than men.

“Academic achievement is a characteristic of material difference between genders, the report noted. The percentage of women with either a masters or doctoral degree exceeds the percentage of men. For example, of women leaders, 58 per cent have advanced degrees versus 47 per cent of men.”

Ms Steffens makes the point that more could be done to highlight the importance and positive aspects of the work done in the industry, not just its challenges. “When we over-emphasise the challenges, like gender disparity, it can actually be a deterrent to women pursuing cyber security careers.”

Ms Eagan is quick to underline the progress she has seen in 25 years. “When I got involved in the industry there were very few women — that’s changed,” she says.